# apps/exam_papers/permissions.py
from rest_framework import permissions
from django.core.exceptions import PermissionDenied

class IsAuthenticatedOrReject(permissions.BasePermission):
    """
    强制未认证用户返回 403 Forbidden（而不是 401 Unauthorized）
    用于隐藏 API 端点的存在，防止信息泄露
    """
    def has_permission(self, request, view):
        if not request.user or not request.user.is_authenticated:
            raise PermissionDenied("未认证用户无权访问此资源。")
        return True